Why Collect Malware?

Hex dump of the Blaster Worm with a message for Bill Gates.

> Can be evidence of state repression


> Enhances histories of software development, Net Art, hacking, and political activism—all of the social (and anti-social) uses of computing


> May provide information about the habits or lives of individual computer users


<Attila_Nagy> Computer viruses are almost as old as personal computers themselves... Within each code is a story about its author, about the time it was written, and about the state of computing when it wrought havoc upon our hard drives.








To date, no cultural heritage institution is committed to collecting and preserving malware. 


The WANK Worm 


Released in 1989, the WANK worm spread first through NASA computers and then throughout the world. WANK is considered the first instance of hacktivism and would be an important piece of malware to collect. The identity of the worm's creator(s) is unknown, although its coding was traced to Melbourne, Australia. (Dreyfus and Assange)



MAKE SPACE FOR PEACE

January 28, 1989
Kennedy Space Center
(NASA Causeway)

:00 p.m.

Join us on this Third Anniversary of the Challenger disaster as we call for an end to nuclear flight testing and a ban on weapons in space. We demand that our space program be used for the good of humankind, not for the preparation for war.

ENTERTAINERS



Payload screen of a computer infected with the WANK 
worm. Despite the message, no files were deleted. 


Flyer from Florida Coalition for Peace and 
Justice. In 1989 the group protested the launch 
of the Galileo space probe. WANK's creator(s) 
were likely sympathetic to this group. 


Nearly all of NASA's computers 
on the SPAN network were 
infected. The US DOE was 
affected as well. The worm 
spread as far as Switzerland 
and Japan over DECNet. 


Preservation Strategies 


Preservation strategies will depend on research goals. Do researchers want to analyze the 
code, see malware demonstrated, or do they want to see malware infections "in the wild"? 




> Save source code, compiled code, or 'snapshots' of code 


> Take screen captures and record video demonstrations


> Record oral histories of those affected or of malware creators 


> Collect ancillary materials, including posts on security message boards, emails, articles, & websites 


> Save snapshots of command-and-control servers of a botnet 


Collecting Institutions Encountering Malware 



Archives, museums, and libraries encounter various types of malware 
when accessioning born-digital material (such as hard drives, disks, 
and email) into their collections. 

"Current digital archival practice often treats virus checking and 
quarantine as an unproblematic aspect of ingesting digital objects... 
often before any formal appraisal is done." (Gruning) Currently, there 
is no standard procedure for documenting the infection or removal of 
malware so that this information is available to researchers. 


Are "Cleaned" Files Authentic?


Collecting institutions strive to preserve bit-for-bit copies of hard 
drives and disks when they process them using digital forensics 
tools. However, by removing malware, removing viral code from 
files, or quarantining infected files, bits are being altered. Are these 
actions altering the authenticity of the items accessioned? 

If malware must be removed, how can it be documented 
in a standardized way that is accessible to researchers? 
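A worked illustration of the documentation question above, added here and not part of the poster or any institution's workflow: it takes fixity hashes of a constructed disk image before and after a quarantine step, records exactly which byte ranges were altered and by whom, and checks that the original bitstream can be reconstructed from the cleaned copy plus the extracted bytes. The marker bytes, scanner name, detection label and record field names are all assumptions; the record is modelled on the agent/date/outcome/fixity fields preservation schemas typically carry, not on any specific standard.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample image. MARKER stands in for the bytes a scanner would
# flag; it is an inert string, not malware.
MARKER = b"<<FLAGGED-REGION>>"
ORIGINAL_IMAGE = (
    b"BOOT" + b"\x00" * 32
    + b"file-a.txt" + MARKER
    + b"file-b.txt" + MARKER
    + b"\xff" * 16
)


def sha256_hex(data: bytes) -> str:
    """Fixity value recorded before and after any change to the bitstream."""
    return hashlib.sha256(data).hexdigest()


def find_regions(image: bytes, marker: bytes) -> list[tuple[int, int]]:
    """(offset, length) of each flagged region, in ascending offset order."""
    regions = []
    start = 0
    while (idx := image.find(marker, start)) != -1:
        regions.append((idx, len(marker)))
        start = idx + len(marker)
    return regions


def quarantine(image: bytes, regions: list[tuple[int, int]]) -> tuple[bytes, bytes]:
    """Zero the flagged regions and return (cleaned_image, extracted_bytes).

    The extracted bytes are retained (for restricted storage, not for the
    access copy) so the original bitstream stays reconstructible."""
    buf = bytearray(image)
    extracted = bytearray()
    for off, length in regions:
        extracted += buf[off:off + length]
        buf[off:off + length] = bytes(length)  # bytes(n) is n zero bytes
    return bytes(buf), bytes(extracted)


def reconstruct(cleaned: bytes, regions: list[tuple[int, int]], extracted: bytes) -> bytes:
    """Inverse of quarantine(): put the extracted bytes back at their offsets."""
    buf = bytearray(cleaned)
    pos = 0
    for off, length in regions:
        buf[off:off + length] = extracted[pos:pos + length]
        pos += length
    return bytes(buf)


def removal_record(original: bytes, cleaned: bytes, regions, extracted,
                   agent: str = "AV-scanner-name (assumed)",
                   label: str = "detection-label (assumed)") -> dict:
    """Event record documenting which bits changed, why, and whether the
    change is reversible. Field names are this example's own."""
    return {
        "event_type": "malware_removal",
        "event_datetime": datetime.now(timezone.utc).isoformat(),
        "agent": agent,
        "detection_label": label,
        "fixity_before": {"sha256": sha256_hex(original), "size": len(original)},
        "fixity_after": {"sha256": sha256_hex(cleaned), "size": len(cleaned)},
        "regions_altered": [{"offset": o, "length": n} for o, n in regions],
        "bytes_altered": sum(n for _, n in regions),
        "extracted_bytes_sha256": sha256_hex(extracted),
        "reversible": reconstruct(cleaned, regions, extracted) == original,
    }


def process_image(image: bytes = ORIGINAL_IMAGE, marker: bytes = MARKER) -> dict:
    """Full pass: locate flagged regions, quarantine them, emit the record."""
    regions = find_regions(image, marker)
    cleaned, extracted = quarantine(image, regions)
    return removal_record(image, cleaned, regions, extracted)


if __name__ == "__main__":
    print(json.dumps(process_image(), indent=2))
```

The point of keeping the extracted bytes and their hash alongside the record is that the "cleaned" copy is no longer the accessioned bitstream, but a researcher can see precisely how it differs and, with appropriate access, recover the original.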





Issues with Anti-Virus Software 



Incorrect identification of malware or variants: 
Institutions don't know what they actually have 

Different classification systems between AV companies: 
Metadata is not standardized 


Risk Assessment 


<Jane_Gruning> Archives 
are creating a gap in 
the history of computers 
and their use in our 
society—a gap that we 
could potentially avoid... 
Archivists need to rethink 
how we, as a profession, 
are addressing this issue. 


Saving malware should not be taken lightly. Conducting a risk assessment is necessary. However, the full capabilities of a 
particular piece of malware are often unknown. Some considerations: 


> Malware can inhibit 
access to disks or files 


> It can damage the integrity of files 


> It can allow unauthorized access 
to computers or networks 


> Sophisticated malware = weapons


> Preserving contemporary malware may inadvertently aid law enforcement


Institutions can start by collecting malware that is historically significant, well understood, and innocuous in its effects, then move on to harder cases as they gain more experience.


Source code of the Morris 
Worm at the Computer 
History Museum. Saving 
physical objects like disks 
is an extremely limited 
preservation strategy. 


Preserving malware will likely require an “electronic art approach,” (Besser) 
acknowledging its variability and saving related contextual items. Archivists and librarians 
will need to: 


> Employ various preservation strategies simultaneously


> Make decisions on a case-by-case basis


<VIRUSES> {WORMS} (TROJAN HORSES) [BACKDOORS] 
A Viral Dark Archive?


If disk images of infected items are saved, where will they be stored 
safely? Jane Gruning and others have suggested creating a dark archive of 
non-network-connected storage and keeping malware there for a period of 
years until it becomes less of a threat due to operating system and hardware 
obsolescence. 


{ROOTKITS} [BOTNETS]<SPYWARE>(RANSOMWARE) 